I currently have a domain running in 2008 R2 mode with all DCs running 2008 R2. I have started to configure auditing but am having issues. Right now, I am generating way too many unmeaningful events. I wanted to audit user logons/logoffs but I am also getting all the computer accounts. How do I stop this?

6 Replies

I do not have the script handy to show you, unfortunately, but I found it a lot easier to tackle this goal by outputting user logon info (date/time/user) to a traditional text file. This was done via Group Policy and Logon Scripts. Quick search through Google and you'll find some examples.

I had read many articles on the subject, including that first one you posted. The second one looks like it might help. It also specifically deals with the Advanced Audit Policies, which is what I am looking at implementing.

I think with auditing, especially through 2k8/W7 that logging virtually everything (relevant) & using custom views is one of the better things to try. Rather a bit too much info than missing something.

I think your best bet is to use an event aggregator such as Splunk. You can also do event custom views and set up filters for just the information you need in Event Viewer. Also, setting up subscriptions to view the multiple DCs is needed.

0
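One way to do the filtering the replies above describe, as an added example that is not part of the original thread: keep logging everything, then drop computer-account entries when reviewing. It assumes Security events exported as XML under an `Events` root element, event IDs 4624 (logon) and 4634 (logoff), and that computer accounts are recognised by a trailing `$`; the function name, skip list and sample events are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LOGON_IDS = {"4624": "logon", "4634": "logoff"}
# Assumption: built-in principals that are also noise for a user logon report.
SKIP_USERS = {"ANONYMOUS LOGON", "SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}


def _ev(event_id, when, user, logon_type):
    """Build one constructed event in the Windows event XML layout."""
    return (
        f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
        f'<TimeCreated SystemTime="{when}"/></System><EventData>'
        f'<Data Name="TargetUserName">{user}</Data>'
        f'<Data Name="LogonType">{logon_type}</Data></EventData></Event>'
    )


# Constructed sample export: one real user, one computer account,
# one anonymous logon, and one unrelated event ID (4768).
SAMPLE = "<Events>" + "".join([
    _ev(4624, "2013-05-01T08:01:12Z", "jsmith", 2),
    _ev(4624, "2013-05-01T08:01:13Z", "WKS042$", 3),
    _ev(4624, "2013-05-01T08:01:15Z", "ANONYMOUS LOGON", 3),
    _ev(4768, "2013-05-01T08:01:16Z", "jsmith", ""),
    _ev(4634, "2013-05-01T17:30:44Z", "jsmith", 2),
]) + "</Events>"


def user_logon_events(xml_text):
    """Return (time, kind, user, logon_type) for human logon/logoff events only."""
    rows = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        kind = LOGON_IDS.get(ev.findtext("e:System/e:EventID", "", NS))
        if kind is None:
            continue  # not a logon or logoff event
        data = {d.get("Name"): (d.text or "")
                for d in ev.iterfind("e:EventData/e:Data", NS)}
        user = data.get("TargetUserName", "")
        # Computer accounts end in "$"; skip them and the built-in principals.
        if not user or user.endswith("$") or user.upper() in SKIP_USERS:
            continue
        when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        rows.append((when, kind, user, data.get("LogonType", "")))
    return rows


if __name__ == "__main__":
    for row in user_logon_events(SAMPLE):
        print(*row, sep="\t")
```
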
